Prisma Access Browser
Onboard Prisma Access Browser on the Strata Cloud Manager
Learn how to onboard Prisma Access Secure Enterprise Browser (Prisma Access Browser) on the Strata Cloud Manager and integrate with Prisma Access.
See the prerequisites before you begin this task.
Complete the Pre-Onboarding Tasks
Before onboarding Prisma Access Browser, there are a couple of tasks that you must perform.
- Define the Cloud Identity Engine entities. This can be configured by using the Cloud Identity Engine that you selected during the activation process.
- You need the Authentication profile and the User groups that are part of your onboarding process. These are configured in the Cloud Identity Engine. For more information, refer to the Authentication profile and User groups.
  You can only have one Authentication Profile. If you use more than one Identity Provider (IdP), you can configure multiple IdPs per profile. This can be done with the Authentication Mode choice of Multiple when you configure the Authentication Profile.
Add IdP Configuration
You can use your current SAML IdP provider to manage a single set of login
credentials in your network. The IdP configuration is a component of the
Cloud Identity Engine, and you can manage it within that tool.
- In the Cloud Identity Engine, select Authentication Type.
- Click Add New Authentication Type.
  When you use the IdP provider’s information to populate your user groups, you need to make sure to correctly enter a valid email address. The UPN isn't sufficient.
- In the Set Up Authentication Type, click SAML 2.0 Set Up.
- To continue configuring your SAML Authenticator, refer to Configure a SAML 2.0 Authentication Type in the Cloud Identity Engine.
- (Optional) Use Google Workspace Integration.
Onboard the Prisma Access Browser
After you do the pre-onboarding steps, you can onboard the Prisma Access Browser on the Strata Cloud Manager.
You need to activate and configure the Prisma Access Browser in the Strata Cloud Manager before you can add users. In general, this is a one-time procedure that you perform after Activation; however, you can return to these tasks anytime you need to modify them. There is a Wizard that you can use for this process, and you can modify the global configuration at any time. The Wizard provides detailed instructions on completing each step of the integration.
The controls that you see depend on your Prisma Access Browser license; not all the Onboarding functionality in the Strata Cloud Manager is available for all licenses.
From the Strata Cloud Manager, select Workflows > Prisma Access Setup > Prisma Access Browser.
Step 1 - Users
Define the user authentication method and onboard User groups.
- From the dropdown list, select the CIE profile that will be used for User Authentication.
- From the User groups dropdown list, select the User groups that will be able to access Prisma Access Browser.
- Next: Prisma Access Integration.
Step 2 - Prisma Access Integration
- Enable external connectivity to Prisma Access.
  - Select Go to Explicit Proxy settings.
  - This takes you to Workflows > Prisma Access Setup > Explicit Proxy.
  - Enable the Prisma Access Browser.
  - Done.
- Allow the Prisma Access Browser in the Prisma Access security policy.
  - Select Manage > Prisma Access > Security Policy.
  - This takes you to Manage > Prisma Access > Security Policy.
  - Add a rule that allows web traffic in your security policy.
  - Push configuration to accept the rule.
  - Done.
- Create a service connection.
  - Select Create a service connection.
  - This takes you to Workflows > Prisma Access Setup > Service Connections and Add Service Connection.
  - Done.
- Next: Routing.
Step 3 - Routing
The Routing control allows you to manage the way that the Prisma Access Browser handles network traffic. This feature sets up the default configuration for Prisma Access Browser. If you need to adjust the granularity of the control for a specific Rule, refer to Browser Customization Controls for traffic flows.
- Choose one of the following options:
  - Only route private application traffic through Prisma Access.
  - Route all traffic through Prisma Access.
- (Optional) Ensure that the Prisma Access Browser traffic flows in an optimal manner when the browser detects it's running within the internal network. This identification is based on establishing a connection with a host that is only available inside the internal network.
  - Enter the FQDN to resolve.
  - Enter the expected IP address.
- Next: Enforce SSO applications.
Step 4 - Enforce SSO Applications
It's important that the only way your users can authenticate on SSO-enabled applications is by using the Prisma Access Browser. This will ensure that external actors will have no access to your enterprise applications. To select your IdP:
- In the Choose and configure your identity providers, select the available IdP. The options are:
  - Okta
  - Microsoft Azure Active Directory
  - PingID
  - OneLogin
  - VMware Workspace ONE Access
- When you configure your local settings, be sure to take note of the egress IP addresses.
- Next: Download and distribute.
Step 5 - Download and Distribute
You can download the Prisma Access Browser installation files to test on your own device before sending them out to your users. Once you're satisfied with your tests, you can download the relevant installer to be distributed by your mobile device management (MDM) application.
You can also send your users the download link so that they can download the Prisma Access Browser on their own. This is a single link for macOS and Windows users only.
- Select from the available options:
  - Desktop:
    - macOS
    - Windows
  - Mobile:
    - iOS
    - Android
  If you send your users the download link, remind them that they can only log in with the email that is configured in the IdP service.
- Next: Browser Policy.
Step 6 - Browser Policy
You can now begin to explore and configure the Prisma Access Browser Policy Engine to create a safe and secure user environment.
- Select Browser Policy.
- This directs you to Manage > Configuration > Prisma Access Browser > Policy > Rules.
- Manage Prisma Access Browser Policy Rules.
Onboard New Users
The Onboarding workflow is a configurable series of windows displayed
when a new end user starts using the browser.
Based on the IT needs and requirements, you can select up to eight
individual pages that allow the end users to customize the browser with their
pictures and bookmarks, and to find out some basic information about the browser
– a sort of “Quick-Start” guide.
The Onboarding Wizard customization control configures the Onboarding
workflow. You can select which windows will be displayed in your network.
You configure this when you create or edit a Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Customization profile and choose Onboarding Wizard. For configuration details, see the Browser Customization Controls for the Onboarding Wizard.